Project Mortar wants Pepper API Flash & PDFium in Firefox

PDFium is the Google open-source project for PDF support in Google Chrome. PDFium was previously closed-source, based on Foxit PDF technology, and has been fully open-source since 2014.

The Pepper API Flash implementation is also what’s used by Google’s Chrome web browser. By switching to the PAPI-based Flash, Firefox would be able to finish getting rid of its NPAPI support; Firefox’s Flash support still relies on it, since Shumway and other projects have not panned out.

On 12 August 2009, a page on Google Code[20] introduced a new project, Pepper, with the associated Pepper Plugin API (PPAPI);[21] PPAPI is a derivative of NPAPI aimed to make plugins more portable and more secure.[22] This extension is designed specifically to ease the implementation of out-of-process plugin execution.

There’s also the fact that on pretty much everything but Windows and OS X, the only officially supported version of Flash from Adobe is the PAPI one. The NPAPI version still gets security fixes, but it’s not high priority and isn’t getting much else.

[q]There’s also the fact that on pretty much everything but Windows and OS X, the only officially supported version of Flash from Adobe is the PAPI one.[/q]

I’ve been under the impression that they’ve pretty much been ignoring Flash everywhere save Windows and OS X. Sure, they increment a version number for Linux but none of the supposed improvements ever really seem to make it into them. Heck, even OS X doesn’t get the love; just watch what Flash will do to your Mac’s battery life.

The Linux NPAPI version has been EOL for multiple years now. Like I said, it’s security fixes only. The PAPI version still works and appears to still be getting updates, although I don’t really pay much attention since the only sites I ever see any Flash stuff on anymore are using it for either advertising or tracking, both of which I already have forcibly disabled.

As far as OS X, Adobe’s never really cared all that much about Apple when it comes to end-users, and most cross-platform 3rd-party software will nuke your battery life on a Mac anyway.

TBH though, I think they’re finally realizing that people don’t care as much about Flash anymore. You can do pretty much everything possible in Flash with HTML5 and JS, and now that most of the big streaming sites have switched, a significant majority of end-users don’t ever actually use Flash on websites on a day-to-day basis anymore. Most of the developers I see writing stuff to use it are just too lazy to learn anything other than ActionScript, and the last time I saw any kind of ad about a class to learn Flash was at least 3 years ago now. It’s a slow death, but Flash is dying as a technology.

“Dying” isn’t right, but there hasn’t been much in the way of forward progress from Adobe on Flash. They basically threw in the towel after Jobs’ open letter, with the courtesy of letting their partners (and users) know they had done so. Any of the new features in the last few years to the player itself were just whatever was left in the pipeline, with not much else. Flash Professional has even been renamed to Animate.

Now Adobe does have a long history of supporting its obscure tech (they even ported Shockwave to iOS!), and there are still technologies some important partners need that have no open alternatives yet (DRM). So it’s not “dying” but it’s definitely not trying to be the multiplatform webapp (RIA) juggernaut it once made noise about. That ship sailed a LONG time ago.

As far as switching to PAPI, why not? Does anyone use any other NPAPI plugins anymore? While they are at it, why not just ditch Flash – I don’t even have it installed, and I don’t miss it much (except stinkin’ Pandora – why, just why?).

[q]As far as switching to PAPI, why not? Does anyone use any other NPAPI plugins anymore? While they are at it, why not just ditch Flash – I don’t even have it installed, and I don’t miss it much (except stinkin’ Pandora – why, just why?).[/q]

I’m not thrilled about it, but I still need Java applets because some products (still) require them for their UIs: DRAC, Firewall, VPN, Spider IP-KVM, AAM automation software. The choice isn’t always mine.

[q]On 12 August 2009, a page on Google Code[20] introduced a new project, Pepper, with the associated Pepper Plugin API (PPAPI);[21] PPAPI is a derivative of NPAPI aimed to make plugins more portable and more secure.[22] This extension is designed specifically to ease the implementation of out-of-process plugin execution.[/q]

I’m not familiar with it either and I’m also curious why PPAPI is better. Is PPAPI fundamentally more secure or is it simply that NPAPI is less secure simply because it’s deprecated and therefore unsupported?

Unfortunately citation [22] is non-public, so I don’t know what it says. (IMHO such citations should be banned from Wikipedia)

I found this link, which claims security problems too, but cites no evidence that NPAPI itself is to blame or just the software (i.e. Flash/Java) running under it, so it’s not clear to me what PPAPI fixes.

[q]Pepper started at Google as a way to address portability and performance issues with NPAPI, particularly for out of process plugins. The initial focused efforts eventually expanded to include capabilities such as generic 2D and 3D graphics and audio.

The first Pepper API designs were created to minimize the changes from legacy NPAPI, hoping to ease adoption by browser vendors and plugin developers. This design was implemented and is available to NaCl modules in Chrome 5. The Pepper APIs were redesigned subsequent to the initial design, deviating more substantially from legacy NPAPI while, hopefully, also improving the interfaces. The revised interfaces are sometimes referred to as “PPAPI” or “Pepper2” and should be available in Chrome 6.

Although traditional NPAPI plugins in Chrome run only out of process, Chrome 5 supports Pepper plugins only in process. Being a somewhat experimental feature, the only way to load trusted Pepper plugins is through the browser command-line options. In the future, Pepper plugins will only be supported within Native Client.[/q]

So on its face it actually sounds less secure. I don’t know though, if anyone knows the differences in detail, please elaborate!

NPAPI has some issues, but PPAPI is not really better unfortunately. Much like how NPAPI is basically a hook into Netscape 2, PPAPI is a hook into Chrome’s WebKit. The API is not very well defined and many plugins use private, undocumented interfaces as well.

If you simply ‘implemented PPAPI’ (which itself is not a well defined action), Flash for PPAPI and the Adobe plugin would still not work, since they use private Chrome/WebKit interfaces as well.

In that way, NPAPI is superior, actually. It is well defined, and is proven to be portable between browsers by having (or at least it had) support in multiple browsers with multiple rendering engines (which PPAPI still has not achieved).
